treewide: disable pie in more places

Some packages don’t work correctly with pie. Here I disable it for: - busybox - linux kernel - kexectools I also get rid of the Musl conditional for disabling pie in GCC and Binutils. Some day we might want to enable PIE without Musl and it will be useful to have the *just* work with our compiler and linkers.
6 years ago · 76c956be5c
parent 08d98b2e38
commit 76c956be5c
11 changed files with 12 additions and 11 deletions
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@ -177,7 +177,7 @@ stdenv.mkDerivation ({

  inherit patches;

-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];

  outputs = [ "out" "lib" "man" "info" ];
  setOutputFlags = false;
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@ -185,7 +185,7 @@ stdenv.mkDerivation ({

  inherit patches;

-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];

  outputs = if langJava || langGo then ["out" "man" "info"]
    else [ "out" "lib" "man" "info" ];
--- a/pkgs/development/compilers/gcc/5/default.nix
+++ b/pkgs/development/compilers/gcc/5/default.nix
@ -178,7 +178,7 @@ stdenv.mkDerivation ({

  libc_dev = stdenv.cc.libc_dev;

-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];

  # This should kill all the stdinc frameworks that gcc and friends like to
  # insert into default search paths.
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@ -178,7 +178,7 @@ stdenv.mkDerivation ({

  libc_dev = stdenv.cc.libc_dev;

-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];

  # This should kill all the stdinc frameworks that gcc and friends like to
  # insert into default search paths.
--- a/pkgs/development/compilers/gcc/7/default.nix
+++ b/pkgs/development/compilers/gcc/7/default.nix
@ -149,7 +149,7 @@ stdenv.mkDerivation ({

  libc_dev = stdenv.cc.libc_dev;

-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];

  # This should kill all the stdinc frameworks that gcc and friends like to
  # insert into default search paths.
--- a/pkgs/development/compilers/gcc/8/default.nix
+++ b/pkgs/development/compilers/gcc/8/default.nix
@ -143,7 +143,7 @@ stdenv.mkDerivation ({

  libc_dev = stdenv.cc.libc_dev;

-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];

  # This should kill all the stdinc frameworks that gcc and friends like to
  # insert into default search paths.
--- a/pkgs/development/compilers/gcc/snapshot/default.nix
+++ b/pkgs/development/compilers/gcc/snapshot/default.nix
@ -137,7 +137,7 @@ stdenv.mkDerivation ({

  libc_dev = stdenv.cc.libc_dev;

-  hardeningDisable = [ "format" ];
+  hardeningDisable = [ "format" "pie" ];

  postPatch =
    if targetPlatform != hostPlatform || stdenv.cc.libc != null then
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@ -97,7 +97,7 @@ stdenv.mkDerivation rec {
    then "-Wno-string-plus-int -Wno-deprecated-declarations"
    else "-static-libgcc";

-  hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
+  hardeningDisable = [ "format" "pie" ];

  # TODO(@Ericson2314): Always pass "--target" and always targetPrefix.
  configurePlatforms = [ "build" "host" ] ++ stdenv.lib.optional (stdenv.targetPlatform != stdenv.hostPlatform) "target";
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@ -42,7 +42,8 @@ stdenv.mkDerivation rec {
    sha256 = "1dzg45vgy2w1xcd3p6h8d76ykhabbvk1h0lf8yb24ikrwlv8cr4p";
  };

-  hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
+  hardeningDisable = [ "format" "pie" ]
+    ++ lib.optionals enableStatic [ "fortify" ];

  patches = [
    ./busybox-in-store.patch
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@ -269,7 +269,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.platform kernelPatches
      ++ optionals stdenv.lib.inNixShell [ pkgconfig ncurses ]
      ;

-  hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ];
+  hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ];

  # Absolute paths for compilers avoid any PATH-clobbering issues.
  makeFlags = commonMakeFlags ++ [
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
    sha256 = "1ac20jws8iys9w6dpn4q3hihyx73zkabdwv3gcb779cxfrmq2k2h";
  };

-  hardeningDisable = [ "format" "pic" "relro" ];
+  hardeningDisable = [ "format" "pic" "relro" "pie" ];

  configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" ];
  nativeBuildInputs = [ buildPackages.stdenv.cc ];